Systems and Methods for Use in Computer Network Security

ABSTRACT

Systems and methods are provided for managing data across a network based on multiple keys assigned to different participants in association with the data. One exemplary method includes identifying, by an originating party, a relying party, identifying data relevant to at least one interaction between the originating party and the relying party, and encrypting the data based on a secret. The method also includes generating a key set based on the secret, where the key set has at least three keys and is structured such that the secret is derivable from at least two of the at least three keys, and disseminating a first key of the key set and the encrypted data to a control party and disseminating a second key of the key set to the relying party.

FIELD

The present disclosure is generally directed to systems and methods foruse in managing data security across computer networks, and inparticular, to systems and methods for use in managing confidentialelectronic data, such as, for example, personal identifying information(PII), across networks based on multiple keys.

BACKGROUND

This section provides background information related to the presentdisclosure which is not necessarily prior art.

People, in general, are associated with identities (including personalidentifying information (PII)). The identities are, at least in part,secrets particular to the people, which may be shared by the people withother people or entities to facilitate one or more interactions. Forexample, a person may share his/her identity with a banking institutionto acquire an account with the banking institution. As identities areshared, both in person and electronically, secure storage andmaintenance of the identities is important to guard them from beingdiscovered by unauthorized users. In connection therewith, it is knownto employ block chain, for example, to secure digital identities. What'smore, in certain instances, identities may be encrypted, where a key maybe used to encrypt and decrypt data associated with an encryptedidentity, such that unauthorized access to the encrypted identity aloneis insufficient to reveal the actual data, secret, etc. associatedtherewith.

DRAWINGS

The drawings described herein are for illustrative purposes only ofselected embodiments and not all possible implementations, and are notintended to limit the scope of the present disclosure.

FIG. 1 is an exemplary system of the present disclosure suitable for usein managing data across a network, based on key sets;

FIG. 2 is a block diagram of a computing device that may be used in theexemplary system of FIG. 1;

FIG. 3 is a flow diagram for an exemplary method, which may beimplemented in connection with the system of FIG. 1, for managing dataacross a network based on key sets; and

FIG. 4 is a flow diagram for an exemplary method, which may beimplemented in connection with the system of FIG. 1, for use inaccessing encrypted data across a network based on key sets.

Corresponding reference numerals indicate corresponding parts throughoutthe several views of the drawings.

DETAILED DESCRIPTION

Exemplary embodiments will now be described more fully with reference tothe accompanying drawings. The description and specific examplesincluded herein are intended for purposes of illustration only and arenot intended to limit the scope of the present disclosure.

Personal identifying information (PII) is often transferred acrosscomputer networks, or stored within computer networks, as a means offacilitating interactions between participants to the transfers (e.g.,including users or entities generating the PII, storing the PII,disseminating the PII, viewing the PII, or performing operations withrespect to the PII, etc.). When the PII, however, is not securedsufficiently, the PII may be vulnerable to unauthorized users and becomeknown to such unauthorized users, which in turn may cause harm to aperson or entity associated with the PII. For example, where PIIincludes a government ID number, the person associated with thegovernment ID number may be harmed, for example, by identity theft, ifthe information becomes known to an unauthorized user—even if/whenencrypted. This may occur when a single entity holding the informationexposes not only the encrypted PII to the unauthorized user, but also ameans of decrypting or otherwise understanding the encryptedinformation.

Uniquely, the systems and methods herein provide for a distribution ofencrypted data and different keys for the encrypted data among multipleparties, so that multiple different keys are necessary to decrypt andreveal the encrypted data. In particular, an originating party, arelying party, and a control party each possess data, which is encryptedby a key (i.e., a secret). The key is then segregated into a key sethaving three different keys, for example, with one key and the encrypteddata being provided to each of the originating party, the relying party,and the control party. When the relying party wants to receive dataabout the originating party, such as, for example, a credit report, therelying party provides the encrypted data and its key to the controlparty, as part of a request, whereupon the control party uses the keyfrom the relying party and its own key to decrypt the data. The controlparty then responds to the request from the relying party for the creditreport (without necessarily providing the decrypted data to the relyingparty), whereby the relying party may rely, as needed, on the outputfrom the control party to interact with the originating party. In thismanner, even if one of the originating party, the relying party, and thecontrol party is breached and the encrypted data and key are stolen, forexample, the encrypted data and the key are essentially useless withouta key from another, different party. Thus, there is limited or no riskof the encrypted data being revealed. The systems and methods hereinthus provide an improvement to network security through a more robust,efficient, and secure manner of storing and maintaining information,while still permitting access to the information to multiple parties,when appropriate, and while, at the same time, limiting the risk ofunauthorized access to the information posed by the traditionalvulnerability of a single participant controlling encryption/decryptionof the information.

FIG. 1 illustrates an exemplary system 100, in which one or more aspectsof the present disclosure may be implemented. Although the system 100 ispresented in one arrangement, other embodiments may include the parts ofthe system 100 (or other parts) arranged otherwise depending on, forexample, relationships among different participants, particular types ofdevices utilized to pass and/or store keys, information, etc., types ofinformation to be maintained, privacy requirements, etc.

As shown in FIG. 1, the illustrated system 100 generally includes acontrol party 102, an originating party 104 (broadly, a user), and arelying party 106. Each of the control party 102 and the relying party106 includes (or is associated with) a computing device, coupled toand/or in communication with a network 108. In addition, the originatingparty 104 is associated with a communication device 110, which is alsocoupled to and/or in communication with the network 108. The network 108may include, for example, one or more of, without limitation, a localarea network (LAN), a wide area network (WAN) (e.g., the Internet,etc.), a mobile network, a virtual network, and/or another suitablepublic and/or private network capable of supporting communication amongtwo or more of the parts illustrated in FIG. 1, or any combinationthereof.

In general, the originating party 104 includes an entity and/or person,which originates, owns, and/or provides data that is intended to bemaintained as confidential and not shared with others, unless directedor permitted by the originating party 104. In this exemplary embodiment,the data includes PII related to the originating party 104. The PII ofthe originating party 104 may include different attribute data, whichdistinguishes the originating party 104, alone or in combination, fromone or more other parties/users. Exemplary attribute data may include,without limitation, a name of the originating party 104, a mailingaddress, a birthdate, contact information (e.g., a phone number, anemail address, etc.), a birthplace, genetic information, member IDnumbers, payment account numbers, IP addresses, national identificationnumbers, vehicle identification numbers, biometrics (e.g., fingerprints,facial images, etc.), a government ID number (e.g., a social securitynumber, etc.), or any other desired attribute or personal identifyinginformation of the originating party 104, etc. In addition, theattributes of the PII of the originating party 104 may be evidenced byone or more physical documents, such as, for example, a passport, agovernment issued ID, a social security card, a health insurance card, abank statement, an employee ID, a library card, a utility bill, etc.

Also in the system 100, and as indicated above, the originating party104 is associated with the communication device 110. In the illustratedembodiment, the communication device 110 includes a share application112, which is a network-based and/or network-enabled application. Inconnection therewith, the communication device 110 is configured, by theshare application 112, to interact with the control party 102 and therelying party 106, as described in more detail below (e.g., tofacilitate encryption of PII, sharing of PII, etc.). The shareapplication 112 may be created, provided and/or disseminated by thecontrol party 102, alone or in connection with an application providedand/or disseminated by a third party (e.g., included and/or integratedwith an application with additional features or functionalities (e.g., abanking application, etc.), etc.). In general, the originating party 104will sign up or register to the control party 102, through the shareapplication 112 (i.e., with the control party 102 being and/or providinga backend for the share application 112) upon download and/orinstallation of the share application 112 (or later). In this manner,the originating party 104 is known to the control party 102 through theshare application 112.

The relying party 106 in the system 100 includes any entity and/orperson, which receives the PII from the originating party 104 andexpects and/or intends to rely on the PII for one or more purposes. Theone or more purposes may relate to one or more arrangements and/orinteractions between the originating party 104 and the relying party106, or otherwise, whereby the originating party 104 (or an aspect/factassociated with the origination party (e.g., a credit score, etc.)) isto be identified to the relying party (broadly, identificationinteraction) (e.g., a banking interaction between the originating party104 as a consumer user and the relying party 106 as a financialinstitution (e.g., to open an account, applying for a loan, etc.),interaction(s) related to business between the parties, interaction(s)to request and/or apply for services (e.g., related to utilities,telecommunications, health, etc.), etc.). In the illustrated embodiment,the relying party also includes a share application 114, which is anetwork-based and/or network-enabled application. In connectiontherewith, the share application 114 of the relying party 106 may be thesame as or different than the share application 112 of the originatingparty 104. But like above, the share application 114 associated with therelying party 106 is provided to configure the relying party 106, i.e.,as implemented in a computing device, to operate as described herein(e.g., to facilitate encryption of PII, sharing of PII, etc.). In thismanner, the share application 114 is also created, provider, ordisseminated by the control party 102, whereby the share application 114may be a standalone application, be part of an application from thecontrol party 102 and employed by the relying party 106, or be includedin a software development kit (SDK) to be integrated with anotherapplication or tool of the relying party 106.

And, the control party 102 in the system 100 is configured to cooperatewith the originating party 104 to disseminate encrypted PII andcorresponding keys to the relying party 106.

For example, the originating party 104 may desire to provide certaindata, such as, for example, PII (e.g., a government ID number specificto the originating party 104, etc.) or other data specific to theoriginating party 104, to the relying party 106. To do so, theoriginating party 104 initially accesses the share application 112,whereby the communication device 110, as configured by the shareapplication 112, solicits the originating party 104 to identify therelying party 106 (e.g., solicit a selection of the relying party 106(from a listing or pull down of available relying parties) (or an entryof the relying party 16) to which the identity (or PII) of theoriginating party is to be shared, etc.). In addition, the communicationdevice 110, as configured by the share application 112, solicits theoriginating party 104 to identify and/or designate particular data to beshared with the relying party 106. In response, the originating party104 identifies the relying party 106 and the data to be shared with therelying party 106, through one or more inputs to the communicationdevice 110. In other words, the originating party provides the desireddata to the communication device 110, and specifically, to the shareapplication 112, and thereafter decides to share the data with therelying party 106.

When the relying party 106 and the data to be shared is identified, thecommunication device 110, as configured by the share application 112,encrypts the data based on a secret (e.g., a private key, etc.) and thengenerates a key set from the secret, where the key set includes multipledifferent keys. In this exemplary embodiment, in particular, thecommunication device 110, as configured by the share application 112, isconfigured to generate the secret, to encrypt the data based on thesecret, and then to generate the key set to include multiple differentkeys (e.g., three keys including a first key, a second key, and a thirdkey; etc.), for example, based on the secret and a Shamir secret sharingalgorithm. Specifically, the key set is generated, in such a manner,that multiple, but less than all, of the multiple different keys may beused to decrypt the encrypted data. That is, for example, where, the keyset includes three different keys, only two of the keys are necessary todecrypt the data, but one key, alone, would be insufficient to decryptthe data. Stated generally, the key set is generated based on the Shamirsecret sharing algorithm and the secret to have N keys, where N is aninteger greater than 2 (e.g., 3, 4, 5, etc.). The secret, then, may bederived (i.e., is derivable) from N−1 of the keys in the key set. Inanother example, where the key set includes five different keys (i.e.,N=5), the keys may be generated through the Shamir secret sharingalgorithm, and based on the secret, in such a manner than three or moreof the keys (e.g., N−1 or N−2 keys, etc.) may be used to decrypt thedata, but two or less keys would be insufficient to decrypt the data. Asshould be appreciated, the key set may include a different number ofkeys in other examples consistent with the above, but, again, less thanall keys in the key set will be required to decrypt the secret, uponwhich the key set is generated.

In turn, in the example where the key set includes three different keys,the communication device 110, as configured by the share application112, stores the first key of the key set along with the encrypted datain memory associated therewith (e.g., local memory at the communicationdevice 110, etc.). In addition, the communication device 110, asconfigured by the share application 112, transmits (or disseminates) thesecond key, with or without the encrypted data, to the control party102, whereupon the control party 102 is configured to receive and storethe second key and the encrypted data (when alsotransmitted/disseminated) in memory associated therewith. Further, thecommunication device 110, as configured by the share application 112,transmits (or disseminates) the third key (and, in some embodiments, theencrypted data) to the relying party 106 (as identified by theoriginating party 104), whereupon the relying party 106, as configuredby the share application 114, receives and stores the key (and encrypteddata, when also included) in memory associated therewith.

Optionally, the communication device 110 may be further configured, bythe share application 112, to provide/transmit a token, such as, forexample, an originating party ID, an email address, a phone number,etc., to the relying party 106 with the third key (and the encrypteddata, when also included) to identify the third key and/or encrypteddata to the originating party 104. When the token is provided, orincluded with the third key and/or encrypted data, the relying party106, as configured by the share application 114, may store the third keyand/or the encrypted data in associated with the token, so that therelying party 106 may retrieve the third key and/or encrypted data basedon the token when presented therewith. The token may also betransmitted, by the communication device 110, to the control party 102for use in the same or similar manner (e.g., with the second key andencrypted data, when also included, being stored by the control party102 in association with the token, so that the control party 102 maysubsequently retrieve the second key and/or encrypted data based on thetoken when presented therewith; etc.).

In connection with the above example, the originating party 104 mayexpect and/or intends to interact with the relying party 106, forexample, to open a credit account with the relying party 106 (or takepart in some other interaction(s) with the relying party 106, be itfinancial-related or otherwise). When the originating party 104 requeststhe credit account, in this example, the relying party 106, asconfigured by the share application 114, determines a credit score isnecessary to open the account, and then locates the encrypted data (whendisseminated to the relying party 106 by the originating party 104) andthe key for the originating party 104 (e.g., based on the token (e.g.,as submitted by the originating party 104 with the credit accountrequest, etc.), etc.) and submits a request for the credit score to thecontrol party 102 (broadly, a verification request). The request for thecredit score includes the third key and the encrypted data and/or token,as originally provided to the relying party 106 by the originating party104 (however, it is contemplated that in at least one embodiment, therequest from the relying party 106 may only include the third key, forexample, where the control party 102 already includes the correspondingencrypted data).

In response, the control party 102 is configured to retrieve the secondkey from memory (e.g., based on the token, or not; etc.) and to derivethe secret and then to decrypt the encrypted data received from therelying party 106 (or additionally retrieve the encrypted data from thememory when the relying party 106 does not transmit the encrypted datawith the third key), through use of the second key (provided to thecontrol party 102 by the originating party 104) and through use of thethird key received from the relying party 106. When the data isdecrypted, the control party 102 is configured to use the decrypted datato verify the identity of the originating party (e.g., based on a name,address, birthdate, of other data included in the verification request,etc.) and, when the identity is verified, to respond to the request fromthe relying party 106. For example, the control party 102 may beconfigured to submit a request for a credit score (i.e., run a creditcheck) to a credit bureau based on use of the decrypted data (e.g., agovernment ID, etc.), in order to respond to the verification requestrelated to the originating party 104. In turn, the control party 102 isconfigured to receive a response (from the credit bureau) that includesthe credit score (e.g., from the credit bureau, etc.), and pass thecredit score (or an indication of a range of the credit score) back tothe relying party 106 in response to the original request. In thisexample, the information included in the reply from the control party102 to the relying party 106 (i.e., the credit score or range thereof)is based on the encrypted data originally provided by the originatingparty 104 but does not actually include the encrypted data. In otherexamples, the information included in the reply may additionally (oralternatively) include at least some or all of the actual encrypted dataitself (instead of merely being “based on” the encrypted data).

In response, the relying party 106 may be configured to rely on theresponse from the control party 102 and continue to process associatedwith the originating party's request to share the information with theoriginating party 104 (e.g., the application for the new account, etc.).

With that said, it should be appreciated that various different requests(e.g., relating to different interactions between the originating party104 and the relying party 106, etc.) may be provided, from the relyingparty 106 to the control party 102, which rely on the encrypted dataheld by the control party 102 and/or the relying party 106 inassociation with the originating party 104, and whereby the encrypteddata is suitable for decryption by the multiple keys of the key set.

It should also be appreciated that the originating party 104 may desireand/or intend to alter, modify, or confirm, etc. the encrypted data thatis to be provided to (or that has already been provided to) the controlparty 102 and/or the relying party 106, whereupon the originating party104 may provide the encrypted altered data (as part of a request) or arequest to confirm the existing encrypted data to the control party 102or the relying party 106, along with the first key (and, in one or moreembodiments, the token), via the communication device 110, as configuredby the share application 112. In response, when the request is providedto the control party 102, for example, the control party 102 isconfigured to retrieve the second key for the originating party 104 frommemory (e.g., based on the token provided by the originating party 104with the altered data, or not; etc.) and to decrypt the encryptedaltered data with the second key and with the first key received fromthe originating party 104. The control party 102 is configured to thenupdate the existing data for the originating party 104 and/or confirmthat data, as appropriate, based on the received request. In connectiontherewith, when the request relates to updating or modifying existingencrypted data, the control party 102 may be configured to, upon receiptof the altered data, to decrypt the encrypted data, update the data asnecessary, and then encrypt the data all with the second key (storedtherein) and the first key received from the originating party 104 withthe altered data. It should be appreciated that the control party 102may be further configured to further encrypt the data based on, forexample, an RSA (Rivest-Shamir-Adleman) key, etc., in addition to theabove encryption. Thereafter, the control party 102 is configured tostore the encrypted data (i.e., the encrypted altered data) in memory,in association with the second key (and, in one or more embodiments, inassociation with the token of the originating party 104), for later usein response to a request from the relying party 106. What's more, thecontrol party 102 may further store the encrypted data in one or moresecure manners in the memory therein (e.g., via standard processes suchas a hardware security module (HSM), etc.).

FIG. 2 illustrates an exemplary computing device 200 that can be used inthe system 100 of FIG. 1. The computing device 200 may include, forexample, one or more servers, workstations, personal computers, laptops,tablets, smartphones, etc. In addition, the computing device 200 mayinclude a single computing device, or it may include multiple computingdevices located in close proximity or distributed over a geographicregion, so long as the computing devices are specifically configured tofunction as described herein. In the exemplary embodiment of FIG. 1,each of the control party 102, the relying party 106, and thecommunication device 110 associated with the originating party 104includes and/or is implemented in one or more computing devicesconsistent with computing device 200. However, the system 100 should notbe considered to be limited to the computing device 200, as describedbelow, as different computing devices and/or arrangements of computingdevices may be used in other embodiments. In addition, differentcomponents and/or arrangements of components may be used in othercomputing devices.

Referring to FIG. 2, the exemplary computing device 200 includes aprocessor 202 and a memory 204 coupled to (and in communication with)the processor 202. The processor 202 may include one or more processingunits (e.g., in a multi-core configuration, etc.). For example, theprocessor 202 may include, without limitation, a central processing unit(CPU), a microcontroller, a reduced instruction set computer (RISC)processor, an application specific integrated circuit (ASIC), aprogrammable logic device (PLD), a gate array, and/or any other circuitor processor capable of the functions described herein.

The memory 204, as described herein, is one or more devices that permitdata, instructions, etc., to be stored therein and retrieved therefrom.The memory 204 may include one or more computer-readable storage media,such as, without limitation, dynamic random access memory (DRAM), staticrandom access memory (SRAM), read only memory (ROM), erasableprogrammable read only memory (EPROM), solid state devices, flashdrives, CD-ROMs, thumb drives, floppy disks, tapes, hard disks, and/orany other type of volatile or nonvolatile physical or tangiblecomputer-readable media. The memory 204 may be configured to store,without limitation, identity attributes, secrets, encrypted data, keysets, keys, tokens, and/or other types of data (and/or data structures)suitable for use as described herein. Furthermore, in variousembodiments, computer-executable instructions may be stored in thememory 204 for execution by the processor 202 to cause the processor 202to perform one or more of the functions described herein, such that thememory 204 is a physical, tangible, and non-transitory computer readablestorage media. Such instructions often improve the efficiencies and/orperformance of the processor 202 and/or other computer system componentsas specifically configured, but such instructions, to perform one ormore of the various particular and unique operations herein. It shouldbe appreciated that the memory 204 may include a variety of differentmemories, each implemented in one or more of the functions or processesdescribed herein.

In the exemplary embodiment, the computing device 200 also includes anoutput device 206 that is coupled to (and is in communication with) theprocessor 202 (however, it should be appreciated that the computingdevice 200 could include one or more additional output devices otherthan the output device 206, etc.). The output device 206 outputsinformation (e.g., prompts to identify relying parties to receive shareddata, or to identify data to be shared, etc.), visually or audibly, forexample, to a user of the computing device 200, etc. And, variousinterfaces (e.g., as defined by share applications 112 and/or 114, etc.)may be displayed at computing device 200, and in particular at theoutput device 206, to display certain information in connectiontherewith. The output device 206 may include, without limitation, apresentation unit such as a liquid crystal display (LCD), alight-emitting diode (LED) display, an organic LED (OLED) display, an“electronic ink” display, etc.; or another output device such as aspeaker, another computer, etc.; etc. In some embodiments, the outputdevice 206 may include multiple devices.

In addition, the computing device 200 includes an input device 208 thatreceives inputs from the user (i.e., user inputs) of the computingdevice 200 such as, for example, inputs by the originating party 104 tothe communication device 110 to identify the relying party 106, toidentify data to be shared, etc., as further described below. The inputdevice 208 may include a single input device or multiple input devices.The input device 208 is coupled to (and is in communication with) theprocessor 202 and may include, for example, one or more of a keyboard, apointing device, a mouse, a touch sensitive panel (e.g., a touch pad ora touch screen, etc.), another computing device, and/or an audio inputdevice. In various exemplary embodiments, a touch screen, such as thatincluded in a tablet, a smartphone, or similar device, may behave asboth the output device 206 and an input device 208.

Further, the illustrated computing device 200 also includes a networkinterface 210 coupled to (and in communication with) the processor 202and the memory 204. The network interface 210 may include, withoutlimitation, a wired network adapter, a wireless network adapter, amobile network adapter, or other device capable of communicating to oneor more different ones of the networks herein, including network 108,and/or with other devices described herein. In some exemplaryembodiments, the computing device 200 may include the processor 202 andone or more network interfaces incorporated into or with the processor202.

FIG. 3 illustrates an exemplary method 300 for use in managing dataacross a network based on key sets. The exemplary method 300 isdescribed as implemented in the control party 102, the originating party104, and the relying party 106 of the system 100. Reference is also madeto the computing device 200. However, the methods herein should not beunderstood to be limited to the system 100 or the computing device 200,as the methods may be implemented in other systems and/or computingdevices. Likewise, the systems and the computing devices herein shouldnot be understood to be limited to the exemplary method 300.

Initially in the method 300, the originating party 104 decides tointeract with the relying party 106, whereby the interaction(s) is(are)dependent on data associated with the originating party 104, such as,for example, PII, other information specific to the originating party104, etc. For purpose of illustration, the data to be relied upon inthis example includes, generally, a government ID number for theoriginating party 104, such as, for example, a social security number,and a mailing address for the originating party 104. With that said, theoperations of method 300 are described below with reference to thecommunication device 110 and/or the share application 112. In thismanner, it should be understood that either or both (in coordination) ofthe communication device 110 and/or the share application 112 may carryout the expressed method operations.

In connection therewith, in the method 300, the originating party 104initially accesses the share application 112, at the communicationdevice 110, and provides an input associated with the relying party 106,whereby the communication device 110 (and/or the share application 112)identifies, at 302, the relying party 106 as a party to whichoriginating party's data is to be accessible. In so doing, theoriginating party 104 may be presented with an interface, at thecommunication device 110 (and in particular, at the output device 206),as defined by the share application 112, which includes a drop-down menu(or box) from which multiple different available relying parties may beselected. The listing of available relying parties may be generated byregistration of the relying parties (e.g., onboarding of the relyingparties, etc.) to the share application 112, to the control party 102,etc. Alternatively, the originating party may be presented with aninterface, at the communication device 110 (and in particular, at theoutput device 206), as defined by the share application 112, whichincludes a text box where the originating party 104 may enter (via theinput device 208) the name of and/or an identifier for the relying party106, etc., whereby the communication device 110 and/or the shareapplication 112 are then able to identify the relying party 106.

In addition, the originating party 104 selects and/or inputs particulardata to be accessible to the relying party 106, via one or more inputsto the communication device 110 (at the input device 208), whereupon thecommunication device 110 and/or the share application 112 identifies, at304, the originating party's data to be accessible to the relying party106 (e.g., data relevant to at least one interaction (e.g., anidentification interaction, etc.) between the originating party 104 andthe relying party 106, etc.). In connection therewith, the originatingparty 104 may maintain, add, enter, or provide a variety of data at orto the share application 112, which may then be selected by theoriginating party 104, at 302, or which may then be otherwise providedby the originating party 104, via one or more inputs from theoriginating party 104 (i.e., user inputs), as data to be shared,directly or indirectly, with the relying party 106. As noted above, inthis example the data includes a government ID number for theoriginating party 104 and the address of the originating party 104(e.g., identifying data specific to the originating party 104, etc.).However, it should be appreciated that the data may also, oralternatively, include, without limitation, one or more of a name of theoriginating party 104, a birthdate of the originating party 104, contactinformation (e.g., a phone number, an email address, etc.) for theoriginating party 104, a birthplace of the originating party 104,genetic information for the originating party 104, member ID numbers forthe originating party 104, payment account numbers for the originatingparty 104, IP addresses for the originating party 104, nationalidentification numbers of the originating party 104, vehicleidentification numbers for the originating party 104, biometrics (e.g.,fingerprints, face, etc.) of the originating party 104, or any otherdesired attribute or PII of the originating party 104, etc.

With that said, the originating party may select the particular data, inwhole or in part, to be accessible to the relying party 106 (i.e.,actively or by default). In general, the originating party 104 mayselect and/or provide data, which is related to a potential relationshipand/or interaction with the originating party 104. In the currentexample, where the originating party 104 is attempting to open a creditaccount with the relying party 106 (e.g., as a banking institution,etc.), a membership ID number for the originating party 104 at a thirdparty may not be relevant, but the originating party's government IDnumber associated with his/her credit score, along with the originatingparty's mailing address, may be relevant. Here, the particular dataincludes the government ID number for the originating party 104, whichis 111-22-333, and the mailing address for the originating party 104,which is 321 Main Street, City, State, 98765.

With continued reference to FIG. 3, when the relying party 106 isidentified at the share application 112, and the data to be accessibleto the relying party 106 is identified, the communication device 110and/or the share application 112 encrypts, at 306, the identified datawith a secret. Specifically, for example, the communication device 110,via the share application 112, generates a private key (broadly, thesecret), which is unknown outside of the communication device 110, andapplies the private key, as an encryption key, to the identified data,thereby encrypting the data, at 306. The private key (or, moregenerally, the secret) may be any suitable type of key and may begenerated by any suitable manner, often, for example, based on aspecification and/or standard for the encryption of the data as isgenerally known. An exemplary secret, or private key, which may begenerated by the communication device 110 for use in encrypted desireddata is depicted in Table 1.

TABLE 1 Private Key1234567890123456789012345678901234567891234567891231231231312332

With that said, for example, the particular data to be encrypted usingthe secret may include a social security number for the originatingparty 104 (e.g., 111-22-3333, etc.). The communication device 110 maythen encrypt the particular data, using the secret, based on theAdvanced Encryption Standard (AES) cipher algorithm in Cipher BockChaining (CBC) mode (or, other suitable encryption algorithm (e.g.,symmetric encryption, etc.), such as, for example, AES-Galois/CounterModes of Operation (GCM), etc.). In connection therewith, Table 2illustrates such particular data, as may be encrypted.

TABLE 2 Encrypted Data ftP9iZTEuq3b1yjVIX/fXQ

Once the data is encrypted, the communication device 110 and/or theshare application 112 generates, at 308, a key set (including multiplekey parts) for the secret, or in this example, the private key, by useof the Shamir secret sharing algorithm. It should be appreciated that adifferent algorithm may be used in other examples, so long as thealgorithm is used to generate a key set having multiple different keys,where at least two or more of the keys, but less than all keys in thekey set, are necessary for decryption of the encrypted data (asencrypted by the given private key). In this example, by use of theShamir secret sharing algorithm, the communication device 110 and/or theshare application 112 generates a key set, based on the private key,having three keys (where the encrypted data may be decrypted by any twoof the three keys of the key set). Table 3 includes a key set of threeexample keys, which may be generated based on the private key from Table1 and the Shamir secret sharing algorithm.

TABLE 3 Key Number Key Parts for Private Key 1st Key1893406259193755982513605164082942194180302997995987918560377850 2nd Key198828017578858317633510791297676709625581020986903871456641181 3rd Key857666386649157511134770276479384335914649451091660558785706699

In addition to the encrypted data and the key set, the communicationdevice 110 and/or the share application 112, in this example, generates,retrieves or otherwise provides, at 310, a token associated with theoriginating party 104. The token may include, without limitation, aunique identifier or ID for the originating party 104, an email addressof the originating party 104, a phone number of the originating party104, or another suitable sequence of characters (e.g., alpha, numeric,or both, etc.) associated with or corresponding to the originating party104. Thereafter, at 312, the communication device 110 and/or the shareapplication 112 stores a first key of the key set in the memory (e.g.,memory 204, etc.) of the communication device 110, in association withthe token. In so doing, the communication device 110 and/or shareapplication 112 may further store the encrypted data in the memory, inassociation with the token, as desired and/or needed. Then, thecommunication device 110 and/or the share application 112 deletes orotherwise removes the private key from the communication device 110. Assuch, it should be appreciated that once the data is encrypted and thekey set is generated, the key set is the only viable, or suitable,manner by which the encrypted data is to be decrypted.

Next in the method 300, the communication device 110 and/or the shareapplication 112 disseminates, at 314, the remaining individual keys ofthe key set, alone, or with the encrypted data and/or the token, to theparties intended to rely on and/or use the encrypted data. Specifically,as shown in this example in FIG. 3, the communication device 110 and/orthe share application 112 disseminates (at 314) the second key alongwith the encrypted data and/or the token to the control party 102. Inresponse, the control party 102 stores the second key, the encrypteddata (if provided), and the token (if provided) in memory associatedtherewith (e.g., the memory 204, etc.), whereby the second key may beretrieved, from the memory, based on the token when provided. And,likewise, as shown in FIG. 3, the communication device 110 and/or theshare application 112 disseminates (at 314) the third key along with theencrypted data and/or the token to the relying party 106. In response,the relying party 106, and in particular, the share application 114, atthe computing device of the relying party 106, receives and stores thethird key, the encrypted data (if provided), and the token (if provided)in memory associated therewith (e.g., the memory 204, etc.), whereby thethird key may be retrieved, from the memory, based on the token whenprovided.

It should be appreciated that the communication device 110 and/or theshare application 112 may further disseminate keys of the key set, alongwith the encrypted data and/or the token to additional relying partiesand/or control parties that are to be included in maintaining theencrypted data as accessible. In at least one embodiment, the token isnot provided by the communication device 110 and/or the shareapplication 112, to the relying party 106, as it is provided otherwise,or already known to the relying party 106 (e.g., in connection with anapplication for a credit account, etc.). In one or more otherembodiments, the token may not be provided or used at all.

With that said, based on method 300, the control party 102, theoriginating party 104 (at the communication device 110), and the relyingparty 106 each possess a key from the key set originally generated basedon the secret (or private key in the above example), by which theencrypted data associated with the originating party 104 was encrypted.It should also be appreciated, again, that the keys from the key set arethe only remaining means by which the encrypted data is to be decrypted.It should further be appreciated that the originating party 104 maytraverse the method 300 as often as desired and/or required, wherebydifferent key sets may be associated with different encrypted data, withdifferent keys and/or different encrypted data intended for differentrelying parties. In connection therewith, for example, the control party102 may include several, multiple, or more instances of encrypted dataand keys for the originating party 104.

FIG. 4 illustrates an exemplary method 400 for use in accessingencrypted data, across a network based on key sets. The exemplary method400 is described as implemented in the control party 102, with referenceto the originating party 104 and the relying party 106 of the system100. Reference is also made, again, to the computing device 200.However, the methods herein should not be understood to be limited tothe system 100 or the computing device 200, as the methods may beimplemented in other systems and/or computing devices. Likewise, thesystems and the computing devices herein should not be understood to belimited to the exemplary method 400. The method 400 is also describedwith reference to the keys of the key set included in Table 3, whichwere generated based on the private key in Table 1 and disseminated inthe method 300 to each of the control party 102, the originating party104, and the relying party 106.

As shown in the illustrated method 400, when the originating party 104interacts with the relying party 106 (e.g., after the operations ofmethod 300 are performed, etc.), for example, to open the credit accountfor the originating party 104, the relying party 106, and in particular,the share application 114 at the computing device thereof, submits, at402, a request to the control party 102 in association with theencrypted data. In this example, the request includes a request for acredit report from the control party 102. In so doing, the requestincludes at least the third key of the key set, but may also include thetoken, the encrypted data or other suitable information (e.g., relatedto the specific request, or the originating party 104, etc.), or both.It should be appreciated that the request may be related to, orassociated with, any aspect of the data encrypted by the originatingparty 104, whether included in the encrypted data and known to thecontrol party 102, or accessible to the control party 102 based on theencrypted data.

In turn in the method 400, at 404, the request (from the relying party106 and including at least the third key of the key set) is received bythe control party 102. In response to the request, the control party 102retrieves, at 406, the second key from its memory (e.g., the memory 204,etc.) and also the encrypted data (if not included in the request) fromits memory (e.g., the memory 204, etc.). In so doing, the control party102 may identify the encrypted data and the second key based on thetoken received from the relying party 106 (when provided) or based onother information about the originating party 104 (e.g. as included inthe request, etc.). And, at 408, the control party 102 thenreconstructs, or derives, the secret (or private key) based on thesecond key of the key set (from its memory) and the third key of the keyset (from the relying party 106 in the request). This is accomplished,for example, again using the second and third keys and the Shamir secretsharing algorithm (when used to generate the key set).

Then, at 410, the control party 102 decrypts the encrypted data throughuse of the derived secret and the AES-CBC mode (or, other suitableencryption algorithm (e.g., symmetric, etc.), such as, for example,AES-GCM, etc. (as used for encryption)). In this example, the controlparty decrypts the encrypted data to obtain the government ID number forthe originating party 104 (e.g., 111-22-3333, etc.) and the mailingaddress for the originating party 104 (e.g., 321 Main Street, City,State, 98765, etc.). In turn, based on the decrypted data, the controlparty 102 verifies, at 412, the identity of the originating party 104.In particular, the request from the relying party 106 may include, forexample, a name, mailing address, email address, phone number, birthdateor other identifying information associated with the originating user(or information known to the originating party 104 and included in therequest (e.g., a passcode/password, etc.)). The encrypted data furtherincludes the same information, whereby, upon decryption of the data, thecontrol party 102 is able to verify the identity by matching theinformation in the request to the information included in the decrypteddata. In general, when there is a match, the identity of the originatingparty 104 is verified. If not, the identity of the originating party isnot verified (e.g., meaning a potential fraud occurrence, etc.),whereupon the control party 102 issues a warning, error or notice errorin response to the request to the relying party 106. The relying party106 may proceed accordingly to modify the request and try again or tohalt the interaction(s).

When the originating party 104 is verified, however, the control party102 then determines, at 414, the requested information, either asincluded in the decrypted data or based on the decrypted data. Here,because the request relates to a credit score for the originating party104, the control party 102 submits a request to one or more creditbureau(s) for the credit score (e.g., runs a credit report, etc.), basedon the decrypted data, where the credit score request includes thegovernment ID number of the originating party 104 and the mailingaddress. When the credit score is returned from the credit bureau(s),the control party 102 then compiles a reply to the relying party'srequest (including the credit score, range of credit score, and/or otherinformation requested by the relying party 106) and transmits, at 416,the reply to the relying party 106. In turn, the relying party receivesthe reply including the requested information, at 418, and then proceedsat 420, to process the application or otherwise proceed in theinteractions with the originating party 104, which facilitated theidentity verification of the originating party 104. For example, therelying party 106 may proceed (when the requested information is asexpected or sufficient (as compared to one or more thresholds) to openthe credit account for the originating party. In this manner, the replyby the control party 102 to the request originally provided by therelying party 106 is based on the encrypted data, as decrypted by thecontrol party 102 (i.e., it includes the credit score determined basedon the encrypted data), but does not (in this example) include theactual encrypted data (i.e., it does not include the government IDnumber of the originating party 104 or the mailing address of theoriginating party 104).

It should be appreciated that the type of information requested, by therelying party 106, will often impact and/or define how the control party102 determines the information. In at least one embodiment, for example,the control party 102 may determine that the requested information isincluded in the decrypted data and, as such, may merely transmit thatdata (once decrypted) back to the relying party (either directly, or viaanother round of encryption). For instance, in the above example, thereply by the control party 102 to the request originally provided by therelying party 106 may additionally (or alternatively) include at leastsome of the encrypted data (e.g., the reply may include one or both ofthe government ID number of the originating party 104 and the mailingaddress of the originating party 104, etc.).

In addition, it should be appreciated that that the originating party104 may seek to alter (or modify) or to confirm the information includedin the encrypted data already provided to the control party 102 and/orthe relying party 106, for example, when the data is changed (e.g., apayment account number is changed, a mailing address is changed, etc.).Here, and similar to the above, the originating party 104 may submit arequest to the control party 102 to alter the encrypted data, where therequest includes the new data/information and the first key of theoriginating party's key set. In response, as above, the control party102 retrieves the second key for the originating party 104 and then,instead of decrypting the data, encrypts the new data with the first andsecond key of the key set (if not already encrypted). The control party102 then stores the newly encrypted data in place of the old encrypteddata, whereby upon a further request from the relying party 106, thecontrol party 102 will retrieve and decrypt the newly encrypted data.Alternatively, method 300 may be repeated based on the updated data(where any prior versions of the encrypted data may be deleted andreplace with the updated data provided by the originating party 104).

In view of the above, the systems and methods herein permit securingsensitive data across a network. In particular, the use of the key setrequires that multiple parties are involved in the decryption of thedata, so that a breach of security and/or unauthorized access at oneparty will be insufficient to understand the encrypted data. What'smore, by use of the control party, the relying party may be limited inaccess to the data desired rather than being an unrestricted means tothat data. That is, in the above example, the relying party 106 sought acredit score for the originating party 104. Conventionally, the relyingparty 106 would collect the government ID number of the originatingparty 104 and then seek the credit score (e.g., from a credit bureauthat relies on the government ID to retrieve the credit score, etc.). Inthis manner, the relying party 106 would receive and hold the governmentID number—a potential point of theft of the number—while not actuallyrelying on the number itself. In the systems and methods herein, therelying party 106 is shielded from the government ID number, yet stillable to capture the credit score (i.e., the desired information). Assuch, the systems and methods herein provide for secure networkinteractions which limit and/or reduce the exposure of certain datarelated to an originating party.

Again and as previously described, it should be appreciated that thefunctions described herein, in some embodiments, may be described incomputer executable instructions stored on a computer readable media,and executable by at least one processor. The computer readable media isa non-transitory computer readable storage medium. By way of example,and not limitation, such computer-readable media can include RAM, ROM,EEPROM, CD-ROM or other optical disk storage, magnetic disk storage orother magnetic storage devices, or any other medium that can be used tocarry or store desired program code in the form of instructions or datastructures and that can be accessed by a computer. Combinations of theabove should also be included within the scope of computer-readablemedia.

It should also be appreciated that one or more aspects of the presentdisclosure transform a general-purpose computing device into aspecial-purpose computing device when configured to perform thefunctions, methods, and/or processes described herein.

As will be appreciated based on the foregoing specification, theabove-described embodiments of the disclosure may be implemented usingcomputer programming or engineering techniques including computersoftware, firmware, hardware or any combination or subset thereof,wherein the technical effect may be achieved by performing at least oneof the following operations: (a) identifying, by an originating party, arelying party; (b) identifying data relevant to at least one interactionbetween the originating party and the relying party, the data includingidentifying data specific to the originating party; (c) encrypting, by acomputing device, the data based on a secret; (d) generating, by acomputing device, a key set based on the secret, the key set having atleast three keys and structured such that the secret is derivable fromat least two of the at least three keys; (e) disseminating, by thecomputing device, a first key of the key set and the encrypted data to acontrol party; (f) disseminating, by the computing device, a second keyof the key set to the relying party, whereby the relying party ispermitted to submit a request to the control party, including the secondkey, and whereby the control party is permitted to decrypt the encrypteddata disseminated to the control party, using the first and second keys,in order to respond to the request from the relying party; (g)generating a token and associating the token with the key set, prior todisseminating the first key and the second key; (h) receiving therequest from the relying party, the request including the second key ofthe key set; (i) retrieving, by a second computing device associatedwith the control party, the first key from memory associated with thesecond computing device; (j) deriving, by the second computing device,the secret from the first and second keys; (k) decrypting, by the secondcomputing device, the encrypted data disseminated to the control partybased on the derived secret; (l) transmitting, by the second computingdevice, a reply to the relying party in response to the request, thereply based on the encrypted data as decrypted by the second computingdevice but not including the actual encrypted data; (m) storing a thirdkey of the key set in memory of the computing device; (n) transmitting,by the computing device, a request to the control party to modify and/orconfirm the encrypted data disseminated to the control party, therequest including the third key, whereby the control party is permittedto decrypt the encrypted data using the first and third keys in order tomodify and/or confirm the encrypted data based on the request from theoriginating party; and (o) generating, by the computing device, thesecret prior to encrypting the data based on the secret.

Exemplary embodiments are provided so that this disclosure will bethorough, and will fully convey the scope to those who are skilled inthe art. Numerous specific details are set forth such as examples ofspecific components, devices, and methods, to provide a thoroughunderstanding of embodiments of the present disclosure. It will beapparent to those skilled in the art that specific details need not beemployed, that example embodiments may be embodied in many differentforms and that neither should be construed to limit the scope of thedisclosure. In some example embodiments, well-known processes,well-known device structures, and well-known technologies are notdescribed in detail.

The terminology used herein is for the purpose of describing particularexemplary embodiments only and is not intended to be limiting. As usedherein, the singular forms “a,” “an,” and “the” may be intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. The terms “comprises,” “comprising,” “including,” and“having,” are inclusive and therefore specify the presence of statedfeatures, integers, steps, operations, elements, and/or components, butdo not preclude the presence or addition of one or more other features,integers, steps, operations, elements, components, and/or groupsthereof. The method steps, processes, and operations described hereinare not to be construed as necessarily requiring their performance inthe particular order discussed or illustrated, unless specificallyidentified as an order of performance. It is also to be understood thatadditional or alternative steps may be employed.

When a feature is referred to as being “on,” “engaged to,” “connectedto,” “coupled to,” “associated with,” “included with,” or “incommunication with” another feature, it may be directly on, engaged,connected, coupled, associated, included, or in communication to or withthe other feature, or intervening features may be present. As usedherein, the term “and/or” includes any and all combinations of one ormore of the associated listed items.

Although the terms first, second, third, etc. may be used herein todescribe various features, these features should not be limited by theseterms. These terms may be only used to distinguish one feature fromanother. Terms such as “first,” “second,” and other numerical terms whenused herein do not imply a sequence or order unless clearly indicated bythe context. Thus, a first feature discussed herein could be termed asecond feature without departing from the teachings of the exampleembodiments.

None of the elements recited in the claims are intended to be ameans-plus-function element within the meaning of 35 U.S.C. § 112(f)unless an element is expressly recited using the phrase “means for,” orin the case of a method claim using the phrases “operation for” or “stepfor.”

The foregoing description of exemplary embodiments has been provided forpurposes of illustration and description. It is not intended to beexhaustive or to limit the disclosure. Individual elements or featuresof a particular embodiment are generally not limited to that particularembodiment, but, where applicable, are interchangeable and can be usedin a selected embodiment, even if not specifically shown or described.The same may also be varied in many ways. Such variations are not to beregarded as a departure from the disclosure, and all such modificationsare intended to be included within the scope of the disclosure.

What is claimed is:
 1. A computer-implemented method for use in managingdata across a network based on multiple keys assigned to differentparticipants in association with the data, the method comprising:identifying, by an originating party, a relying party; identifying datarelevant to at least one interaction between the originating party andthe relying party, the data including identifying data specific to theoriginating party; encrypting, by a computing device, the data based ona secret; generating, by a computing device, a key set based on thesecret, the key set having at least three keys and structured such thatthe secret is derivable from at least two of the at least three keys;disseminating, by the computing device, a first key of the key set andthe encrypted data to a control party; and disseminating, by thecomputing device, a second key of the key set to the relying party,whereby the relying party is permitted to submit a request to thecontrol party, including the second key, and whereby the control partyis permitted to decrypt the encrypted data disseminated to the controlparty, using the first and second keys, in order to respond to therequest from the relying party.
 2. The computer-implemented method ofclaim 1, wherein generating the key set includes generating the key setbased on the secret and a Shamir secret sharing algorithm.
 3. Thecomputer-implemented method of claim 2, further comprising generating atoken and associating the token with the key set, prior to disseminatingthe first key and the second key; and wherein disseminating the firstkey an the encrypted data to the control party includes disseminatingthe first key, the encrypted data, and the token to the control party;and wherein disseminating the second key to the relying party includesdisseminating the second key and the token to the relying party.
 4. Thecomputer-implemented method of claim 2, wherein the identifying dataincludes a government ID number associated with the originating party;and wherein the request includes a request for a credit score.
 5. Thecomputer-implemented method of claim 1, further comprising: receivingthe request from the relying party, the request including the second keyof the key set; retrieving, by a second computing device associated withthe control party, the first key from memory associated with the secondcomputing device; deriving, by the second computing device, the secretfrom the first and second keys; and decrypting, by the second computingdevice, the encrypted data disseminated to the control party based onthe derived secret.
 6. The computer-implemented method of claim 5,further comprising transmitting, by the second computing device, a replyto the relying party in response to the request, the reply based on theencrypted data as decrypted by the second computing device but notincluding the actual encrypted data.
 7. The computer-implemented methodof claim 1, further comprising: storing a third key of the key set inmemory of the computing device; and transmitting, by the computingdevice, a request to the control party to modify and/or confirm theencrypted data disseminated to the control party, the request includingthe third key, whereby the control party is permitted to decrypt theencrypted data using the first and third keys in order to modify and/orconfirm the encrypted data based on the request from the originatingparty.
 8. The computer-implemented method of claim 1, further comprisinggenerating, by the computing device, the secret prior to encrypting thedata based on the secret.
 9. A system for use in managing data across anetwork based on multiple keys assigned to different participants inassociation with the data, the system comprising an originating partycomputing device having a memory and a processor coupled to the memory,the processor configured, by executable instructions stored in thememory of the originating party computing device, to: receive, from anoriginating party, an indication of a relying party in connection withan identification interaction of the originating party to the relyingparty; encrypt data based on a secret, the data including identifyingdata specific to the originating party; generate a key set based on thesecret and store the key set in the memory, the key set having at leastthree keys and structured such that the secret is derivable from atleast two of the at least three keys; generate a token associated withthe originating party, the encrypted data and/or the key set;disseminate the token, a first key of the key set, and the encrypteddata to a control party; and disseminate the token and a second key ofthe key set to the relying party, whereby the relying party is permittedto submit a request to the control party, including the token and thesecond key, and whereby the control party is permitted to identify thefirst key based on the token and decrypt the encrypted data disseminatedto the control party, using the first and second keys, in order torespond to the request from the relying party.
 10. The system of claim9, where in the processor of the originating party computing device isfurther configured, by the executable instructions, to generate thesecret prior to encrypting the data based on the secret.
 11. The systemof claim 10, wherein the processor of the originating party computingdevice is configured, by the executable instructions, in connection withgenerating the key set, to generate the key set based on the secret anda Shamir secret sharing algorithm.
 12. The system of claim 9, whereinthe processor of the originating party computing device is furtherconfigured, by the executable instructions, to store a third key of thekey set in the memory of the originating party computing device.
 13. Thesystem of claim 12, further comprising a control party computing deviceassociated with the control party, the control party computing devicehaving a memory and a processor coupled to the memory, the processor ofthe control party computing device configured, by executableinstructions stored in the memory of the control party computing device,to: receive the request from the relying party, the request includingthe second key of the key set; retrieve, from the memory of the controlparty computing device, the first key disseminated to the control partyby the processor of the processor of the originating party computingdevice; derive the secret from the first and second keys; and decryptthe encrypted data based on the derived secret; and transmit a reply tothe request to the relying party, the reply including decrypted dataand/or data accessible based on the decrypted data.
 14. The system ofclaim 13, wherein the request includes at least one of a name, address,phone number and birthdate of the originating party; and wherein thecontrol party computing device is configured to verify the identity ofthe originating party based on the decrypted data and the at least oneof the name, address, phone number and birthdate of the originatingparty, prior to transmitting the reply to the request to the relyingparty.
 15. The system of claim 14, wherein the reply transmitted to therelying party includes at least some of the encrypted data but does notinclude all of the encrypted data.
 16. The system of claim 13, whereinthe processor of the originating party computing device is furtherconfigured, by the executable instructions stored in the memory of theoriginating party computing device, to transmit a request to the controlparty to modify and/or confirm the encrypted data disseminated to thecontrol party, the request including the third key.
 17. The system ofclaim 16, wherein the processor of the control party computing device isfurther configured, by the executable instructions stored in the memoryof the control party computing device, to decrypt the encrypted datausing the first and third keys and to modify and/or confirm theencrypted data based on the request from the processor of theoriginating party computing device.
 18. A non-transitorycomputer-readable storage media including executable instructions foruse in managing data across a network based on multiple keys assigned todifferent participants in association with the data, which, whenexecuted by at least one processor, cause the at least one processor to:identify a relying party; encrypt data based on a secret, the dataincluding identifying data specific to the originating party; generate akey set based on the secret and a Shamir secret sharing algorithm, thekey set having N keys and structured such that the secret is derivablefrom at least N−1 of the N keys, where N is an integer greater than 2;disseminate a first key of the key set and the encrypted data to acontrol party; and disseminate a second key of the key set to therelying party, whereby the relying party is permitted to submit arequest associated with the data to the control party, including thesecond key, and whereby the control party is permitted to decrypt theencrypted data disseminated to the control party, by use of the firstand second keys, in order to decrypt the encrypted data and to respondto the request from the relying party.
 19. The non-transitorycomputer-readable storage media of claim 18, wherein the executableinstructions, when executed by the at least one processor, further causethe at least one processor to: generate a token and associate the tokenwith the key set, prior to disseminating the first key and the secondkey; disseminate the token along with the first key and the encrypteddata to the control party; and disseminate the token along with thesecond key to the relying party.